V-268101

CAT II (Medium)

NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.

Rule ID

SV-268101r1131004_rule

STIG

Anduril NixOS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000139, CCI-001855

Discussion

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134

Check Content

Verify NixOS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep -w space_left_action /etc/audit/auditd.conf

space_left_action = syslog

If the "space_left_action" parameter is missing, commented out, or set to blanks, this is a finding.

If the "space_left_action" is set to "syslog", the system logs the event but does not generate a notification; this is a finding.

If the "space_left_action" is set to "exec", the system executes a designated script. If this script does not inform the SA of the event, this is a finding.

If the "space_left_action" is set to "email", check the value of the "action_mail_acct" parameter with the following command:

$ sudo grep action_mail_acct /etc/audit/auditd.conf

action_mail_acct root@localhost

The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct" parameter is not set to the email address of the SA and/or ISSO, this is a finding. 

Note: If the email address of the SA is on a remote system, a mail package must be available.
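
The check logic above, as an added shell example that is not part of the STIG text or of the vendor's code: it reads an auditd.conf, ignores commented-out lines, and reports PASS, FINDING or REVIEW following the Check Content rules. The function names, the expected-address argument and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not STIG text): applies the V-268101 Check Content rules to a file.

# conf_value FILE KEY: print the value of the last uncommented "KEY = value" line.
# Taking the last occurrence is an assumption of this example.
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }                       # commented out: ignore
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v; found = 1 }
        END { if (found) print val }' "$1"
}

# check_space_left_action FILE EXPECTED_MAIL: print PASS, FINDING or REVIEW plus a reason.
check_space_left_action() {
    action=$(conf_value "$1" space_left_action | tr '[:upper:]' '[:lower:]')
    case "$action" in
        "")     echo "FINDING: space_left_action is missing, commented out, or blank" ;;
        syslog) echo "FINDING: syslog logs the event but does not generate a notification" ;;
        exec*)  echo "REVIEW: confirm the executed script informs the SA" ;;
        email)
            acct=$(conf_value "$1" action_mail_acct)
            [ -n "$acct" ] || acct=root           # per the check text, missing means root
            if [ "$acct" = "$2" ]; then
                echo "PASS: notifications are mailed to $acct"
            else
                echo "FINDING: action_mail_acct is '$acct', expected '$2'"
            fi ;;
        *)      echo "REVIEW: '$action' is not covered by the check text" ;;
    esac
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
printf '%s\n' '# space_left_action = email' 'space_left_action = syslog' > "$sample"
check_space_left_action "$sample" sa@example.com
rm -f "$sample"
```

A REVIEW result marks the cases the check text leaves to manual inspection, such as reading the script named after "exec".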

Fix Text

Configure NixOS to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

If the space_left_action parameter is set to "syslog", make sure the event being logged generates a notification to the SA and ISSO.

If the space_left_action parameter is set to "exec", make sure the command being executed notifies the SA and ISSO.

If the space_left_action parameter is set to "email", set the action_mail_acct parameter to an email address for the SA and ISSO.

Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:

  space_left_action = syslog

For example, an updated configuration of 'environment.etc."audit/auditd.conf".text' would look like the following ('...' denoting that the 'environment.etc."audit/auditd.conf".text' configuration may have other options configured):

 environment.etc."audit/auditd.conf".text = [
  ''
   ...
   space_left_action = syslog
   ...
  ''
 ];

Rebuild and switch to the new NixOS configuration:

$ sudo nixos-rebuild switch